Where to start...?
First, and most important, nobody has SAP_ALL in the production client. Not even Basis. Nobody. No exceptions. Well, there are exceptions, but they are rare. The only time anybody here has SAP_ALL in production is during upgrade weekends.
Second, every site's Basis job role is different. Some of the standard SAP-provided roles might be close to what you need. None of them will be exactly right. You are much better starting with an empty role and adding transactions as needed.
While doing this, don't blindly believe Basis when they say they need a particular transaction. They don't need SE38/SA38, or SE16, for example. Not on a permanent basis anyway. Maybe on rare occasions to implement an OSS note or similar. Think carefully about each request and what it will allow them to do. If you don't use a GRC application to automatically check for unfortunate combinations of transactions, think very carefully about each request.
Finally, notice I said above Production client. You will typically have one production client in your system, along with client 000. You may find it acceptable to give Basis more access in client 000 than you'd be comfortable giving them in the production client, since they don't have access to transactional data. Much of what Basis needs to do is client independent, so this works quite well.
This stuff isn't easy. There are no simple answers, and no simple solutions. Think about it carefully or your auditors will ultimately give you a hard time, and for good reason.
Hope some of that helps.
Steve.
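The three rules in the post above (no permanent SAP_ALL in the production client outside an upgrade window, no permanent SE38/SA38/SE16 in the production client, and a looser policy for client 000) can be turned into a periodic check. The script below is an added illustration and is not Steve's code or anything from SAP; it assumes that the production client is numbered 100, that a user-to-role export has already been flattened into one record per user and client, and that approved upgrade windows are maintained as date ranges. All sample records are constructed.

```python
"""Check a flattened SAP user/client assignment export against the post's rules.

Assumptions (not from the post): production client is "100", an export has been
reduced to one Assignment per user and client, and approved upgrade weekends
are supplied as (start, end) date pairs.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

PROD_CLIENT = "100"   # assumption: the site's production client number
ADMIN_CLIENT = "000"  # client 000 holds no transactional data; wider Basis access tolerated

# Transactions the post says Basis should not hold on a permanent basis in production.
SENSITIVE_TCODES = frozenset({"SE38", "SA38", "SE16"})


@dataclass(frozen=True)
class Assignment:
    user: str
    client: str
    profiles: frozenset = frozenset()   # e.g. {"SAP_ALL"}
    tcodes: frozenset = frozenset()     # transactions granted through the user's roles
    valid_to: Optional[date] = None     # None means a permanent assignment


Finding = Tuple[str, str, str]  # (user, rule code, detail)


def audit(assignments: Iterable[Assignment], today: date,
          upgrade_windows: Iterable[Tuple[date, date]] = ()) -> List[Finding]:
    """Return one finding per rule violation in the production client."""
    windows = list(upgrade_windows)
    findings: List[Finding] = []
    for a in assignments:
        if a.client != PROD_CLIENT:
            continue  # client 000 and non-production clients use a looser policy

        # A time-boxed assignment whose end date has passed but is still present.
        if a.valid_to is not None and a.valid_to < today:
            findings.append((a.user, "EXPIRED_ASSIGNMENT", f"valid_to {a.valid_to} has passed"))

        # SAP_ALL in production is acceptable only when the assignment expires
        # inside an approved upgrade window.
        if "SAP_ALL" in a.profiles:
            boxed = a.valid_to is not None and any(s <= a.valid_to <= e for s, e in windows)
            if not boxed:
                findings.append((a.user, "SAP_ALL_IN_PROD",
                                 "no approved upgrade window covers this assignment"))

        # Sensitive transactions are tolerated only as time-boxed exceptions.
        if a.valid_to is None:
            for tcode in sorted(a.tcodes & SENSITIVE_TCODES):
                findings.append((a.user, "PERMANENT_SENSITIVE_TCODE", tcode))
    return findings


# Constructed sample data: an audit run on the Saturday of an upgrade weekend.
TODAY = date(2024, 5, 4)
UPGRADE_WINDOWS = [(date(2024, 5, 4), date(2024, 5, 5))]
SAMPLE = [
    Assignment("basis1", "100", profiles=frozenset({"SAP_ALL"})),                    # permanent SAP_ALL
    Assignment("basis2", "100", tcodes=frozenset({"SE38", "SE16", "SM50"})),       # permanent SE38/SE16
    Assignment("basis3", "000", tcodes=frozenset({"SE38"})),                        # client 000: tolerated
    Assignment("basis4", "100", profiles=frozenset({"SAP_ALL"}),
               valid_to=date(2024, 5, 5)),                                           # boxed to the window
    Assignment("basis5", "100", tcodes=frozenset({"SA38"}), valid_to=date(2024, 5, 1)),  # expired
]

if __name__ == "__main__":
    for user, rule, detail in audit(SAMPLE, TODAY, UPGRADE_WINDOWS):
        print(f"{user:8} {rule:26} {detail}")
```

Running it prints one line each for basis1 (SAP_ALL without a window), basis2 (SE16 and SE38 held permanently) and basis5 (a time-boxed exception that has expired but was never removed), while basis3 in client 000 and basis4's window-bound SAP_ALL produce nothing. The expiry rule is the one most sites forget: an upgrade-weekend exception only works if somebody also checks afterwards that it was taken away.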